HIPAA: A Few Years Later

Abstract

This article addresses the impact of the Health Insurance Portability and Accountability Act (HIPAA) several years after implementation. The rationale for HIPAA and a clarification of key terms, including covered entities, personal health information, and designated record sets, are reviewed. The impact of HIPAA at work, including increased cost and the complexities of educating employees and patients, is assessed. Implications for homeland security, disaster planning, unique patient identifiers, the compilation of personal health records, and research are discussed.

Before examining some of the more serious and scholarly aspects of the Health Insurance Portability and Accountability Act (HIPAA), let’s take a look at a humorous description of how HIPAA may have left you feeling since April of 2003. I’ve been organized, sanitized and now I am HIPAAnoid and HIPAAtized. What this abbreviation really stands for is Highly Intricate Paperwork in Abundant Amounts and the Huge Increase in Paperwork and Aggravation Act. I am a HIPAAchondriac, who complains about HIPAA all the time. I am routinely in a state of HIPAAhypoglycemia because of my low level of understanding about HIPAA regulations. I did a HIPAAectomy for my patients, which required me to remove all their personal health information (PHI) from the medical records, and I definitely have a case of HIPAAitis, which I got from getting too much HIPAA in my system (HIPAAdvisory, 2000-2005).

Anyone in the middle of the HIPAA Canyon needs a huge sense of humor to survive and to navigate the landscape. We can laugh about HIPAA – and doing so is a great way to reduce our stress about the complexities of implementing this legislation - but ultimately we need to get serious about how this legislation changes what we do at work, reduce our confusion, and teach our patients about privacy.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. It took five years before the legislation for the Privacy Rule became effective on April 14, 2001, with an April 14, 2003, compliance date. Congress passed the statute and the U.S. Department of Health and Human Services developed the regulations contained within the HIPAA privacy rule (Office of Civil Rights, 2003; Standards for Privacy, 2002). If you are working in the health care system, you should have already participated in one or more HIPAA educational sessions, your patients should be routinely receiving information about HIPAA, and their signatures should be on file, indicating whether or not they approve the disclosure of their personal information from their medical record. The purpose of this article is to review some of the changes that have occurred in the clinical environment as a result of HIPAA implementation. Changes have occurred in cost, educational programs, homeland security and disaster planning, the development of the unique patient identifier, the compilation of personal health records, and research initiatives. First, however, the need for HIPAA will be discussed and key HIPAA terms clarified.

We’ve Always Protected Patient Privacy: Why Did We Need HIPAA?

There has always been a clear moral and ethical obligation for Health Information Management (HIM) professionals to protect privacy (Harman 2001a, 2001b). In 1934, the visionary leader of the HIM profession, Grace Whiting Myers, recognized the moral imperative to protect patient privacy and wrote a pledge which indicated that no clinical information should be given to anyone, except as authorized (Huffman, 1972). This professional value and obligation have been reinforced through several iterations of a professional code of ethics, including the most recent one (AHIMA Code of Ethics, 2004). Today, HIPAA provides increased protection for patient privacy as patients themselves need to authorize the release of their health information.

Privacy is a fundamental right protected by the Constitution (The Privacy Protection Study Commission, 1977). Each state can also have its own legislation that affects access to patient information, and there are differences between these state statutes. We might ask why this legislation was passed in the first place, since there are existing state laws, and health care professionals have always worked to protect patient privacy. The answer is that the federal government needed preemptive legislation that would supersede the state laws so that all patient information would be protected, regardless of where the patient lived or received health care.

The preemptive HIPAA federal legislation accomplishes several things. It protects individuals from losing their health insurance when leaving and/or changing jobs by providing insurance continuity (Portability); and it increases the federal government’s authority over fraud and abuse in the health care arena (Accountability).

Part of the impetus for HIPAA was also the development of the Electronic Health Record (EHR) (Amatayakul 2004; Dick & Steen, 1997; Hanken & Murphy, 2001; Johns 2002; Murphy, Hanken & Waters, 1999). When medical records were handwritten and stored in files in a basement, accessed by very few except for follow-up care or research, privacy was somewhat easier to protect. As we moved patient information to the electronic medium, developed integrated systems across the continuum of care, and released and redisclosed information to many people and agencies which needed access to the information, standardized federal legislation became an imperative.

HIPAA was designed to guarantee that information, transferred from one facility to the next, would be protected. The National Committee on Vital and Health Statistics (NCVHS) supports a National Health Information Infrastructure (NHII) so that patient care information can be transferred and protected in our integrated health care systems. Patients can benefit from this continuity of the care, in addition to being able to control personal health information (Gellman, 2004; National Committee on Vital and Health Statistics, 2001).

In an electronic environment, protecting privacy has become extremely difficult, and patients are becoming increasingly concerned about the loss of privacy and the inability to control the dissemination of the information about them. As patients become more aware of the misuses of information, they may become reluctant to share information with their health care team. This may, in turn, result in difficulty obtaining health care information by providers, researchers, insurers, the government, and the many other stakeholders who legitimately need to gain access to the information. Increasingly, patients are seeking anonymity and are responding to issues related to the use and disclosure of health information for informing family and close personal friends, for directory purposes, for notification purposes (such as in disasters), and for other disclosures required by law to public health departments, employer medical surveillance teams, or funeral directors (Hjort, 2002; Hughes, 2002a, 2002b; Rhodes, 2001).

Clarification of Terms

HIPAA has generated several new terms and abbreviations that must be understood in order to manage the labyrinth of rules and regulations. Three that are important to this discussion include covered entities (CE), personal health information (PHI), and Designated Record Sets (Standards for Privacy, 2002).

Protected health information (PHI) is individually identifiable health information relating to an individual’s past, present, or future physical or mental health condition, provision of health care, or payment for the provision of health care. It also includes names, telephone numbers, addresses, medical record numbers, and Social Security numbers (Office of Civil Rights, 2005).

Designated record sets include information such as medical and billing records. However, peer review documents, appointment and surgery schedules, or employer records would not be considered as part of a designated record set. Patients have the right to inspect and obtain a copy of their medical record and to amend PHI about them in a designated record set. “By using the term designated record set, the privacy rule attempts to relieve organizations of the need to retrieve information from telephone message pads, surgery schedules, appointment logs, and other databases in which individual health information might appear but that is not used to make care or payment decisions about the individual” (Hughes, 2003). Deciding what to include in the designated record set has been and will continue to be a constant struggle for a health care organization.

Impact of HIPAA at Work

There is no way for any one article to deal with all of the intricacies of HIPAA implementation over the past few years because there are so many facets of the patient care and documentation systems that have been affected. Here is the “crash course” for some of these initiatives. Websites are included for those who seek additional information, making this online article a helpful resource for many.

HIPAA and the final Privacy Rule have led to the application of sophisticated technologies for controlling access to personal health information, including the identification and authentication of individuals authorized to access information and the establishment of audit trails of those accessing and/or modifying information at the different levels of access (Institute for Health Care Research and Policy, 1999; U. S. DHHS, 2003). The term pattern is key to the application of identifying fraudulent acts. There are real incentives to be compliant, not the least of which is to avoid penalties, which can be severe. Failure to conform to the HIPAA Privacy Rule could result in either civil or criminal penalties. Penalties can be as high as $250,000 and/or prison terms of 10 years for those who sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm (Tomes, 2000). If a patient suffers serious injury from the violation, the penalties could increase to 20 years imprisonment or life if the patient dies (U.S. DHHS and Department of Justice Health Care Fraud and Abuse Control Program, 2003; Office of Civil Rights, 2005; Prophet 1997).

There are many aspects within the health care system that have been affected by HIPAA. A few have been chosen to demonstrate the wide range of this impact, including the cost of health care, the complexities of educating employees and patients, implications for homeland security and disaster planning, issues related to a unique patient identifier, the compilation of personal health records, and the impact on research initiatives.

Cost of Health Care

HIPAA has increased patient privacy, even though it may not always feel as though this has happened. The original intentions of this legislation were twofold: standardization and simplification of information transmissions, and cost savings. As we moved from the paper-based medical record to the standardized electronic health record, there was an expectation of cost savings. Very quickly, compliance initiatives to protect privacy became front and center of everyone’s attention and implementation of these initiatives escalated costs. In the short term, rather than reducing costs, there have been increased administrative costs and complexities for clinical practice. Monies have been spent for educational sessions; the development of pamphlets, booklets, and handouts explaining HIPAA; new consent forms; and the salaries for those who were hired to implement the Privacy Rule. Fundraising has also been affected because patients can no longer be contacted unless the patient has signed a separate authorization, specifically for philanthropy. The CIO at Johns Hopkins predicted it could cost $10 million a year, based on a combination of costs and lost revenues (Blackburn, 2004). Ultimately, the HIPAA goals of simplification and reduced costs will be realized, as the electronic health record becomes the norm in health care.

Education of Employees and Patients

As we increase the ability to share patient information across the continuum of health care, we increase our responsibility to protect that information. Not only must patients be informed about the practices for use and disclosure of their information, they must give written consent to use and disclose the information for treatment, payment, and healthcare operations. HIPAA has also given patients the right to access their health information and to amend this information (Hughes, 2001).

Now that health care professionals have gone through the initial educational sessions about HIPAA, we must turn our attention to helping our patients understand these complexities. Do they understand the importance of protected health information (PHI)? If not, we need to teach them. Teaching won’t happen overnight, in the busy context of our clinical practices. Teaching must be a collaborative process on the part of many--physicians, nurses, administrative support staff, human resources personnel, and health information management professionals, to name a few. HIPAA obligates the employers to educate the staff, and it obligates all of us to inform patients about privacy. The quicker we can educate our patients, and they, in turn, educate their families, friends, and peers, the quicker we can move into a better cycle of privacy protection being an integral part of our culture (Upham & Gue, 2000-2005).

Whatever teaching is done, we as health care professionals must avoid lying to patients. For example, a statement such as, "You must sign this or your insurance company won’t pay the bill," would be a dishonest, threatening, and inappropriate claim; and it would do nothing to help the patient understand when they should or should not grant access to PHI. It is important to obtain the patients’ signatures, and in so doing to use this opportunity to inform them of their rights. HIPAA forms and documentation cannot be viewed as “just another insurance form” or we will lose sight of the value. Nor can HIPAA be viewed as a frivolous waste of time and energy. Rather, we have an opportunity to educate patients so that we all better understand the importance of patient privacy. Technology costs are the easiest component of this system – the true and higher costs relate to educating our health care team and our patients. This education will be an ongoing process which will result in a true change of the culture. The Computerized Patient Record Institute (CPRI) offers a CPRI Toolkit (free download) for security and education guidelines (Healthcare Information and Management Systems Society, 2003).

Nurses know best that one-time educational interventions do not stand the test of time. Diabetic patients cannot meet with the nurse once and then understand what they need to do. A nurse cannot attend one educational session about HIPAA and know all there is to know about informing patients of the implications. It is important to encourage employers to continue upgrading all employees’ HIPAA knowledge and expertise. Nurses advocating for staff and patients can make that happen. Nurses already understand and respect patient privacy, so they need not let aggravation over the bureaucracy get in the way of advocating for patients. These regulations can feel cumbersome, intrusive on one’s ability to provide care to patients, and even obstructive. It takes time to learn new procedures and to adjust the processes at work. Someday HIPAA will be an integral part of clinical practice and will not be such a struggle.

Homeland Security and Disaster Planning

Given the federal government’s homeland security priority, much leeway has been given to governmental entities to access individuals’ protected health information for specialized government functions (Association for Professionals in Infection Control and Epidemiology, 2002). The standardization and security of health information is essential for homeland security and access to personal information will be necessary in crises, such as epidemics, terrorist attacks, or natural disasters. Health care providers will be required to balance the need to treat patients safely with the need of the government to gain access to information in order to protect citizens. If the disaster is due to terrorism, there will be an additional need to prevent access to information by the terrorists who caused the problem in the first place.

Patient information must still be protected during a disaster; however, HIPAA will allow for notification to a family member about a patient’s location, general condition, or death. There are provisions for disaster-related planning, organizing, and staffing facilities for treatment of patients and also for dealing with media and communication agencies, visitors and relatives, and post-disease recovery. Patient privacy protections will involve identifying patients, tracking tests and specimens, collecting patient valuables, preserving medical and billing documentation, and releasing information (AHIMA Homeland Security Work Group, 2004; Burrington-Brown, 2002).

Unique Patient Identifier

At the present time, the same person is assigned many different identification numbers at the various locations for health care. This becomes a complex issue when there is an attempt to link patient information across a continuum of care. As a result of the different numbers, there can be problems with patient safety and medical errors. If a unique number is given to each patient, the health information would be appropriately linked and the unique number could reduce the possibility of error. One of the goals of HIPAA is to assign one unique patient identifier that would be used by all covered entities. This aspect of the legislation is still on hold, due to the complexity of implementation. However, the reduction of medical errors is a national initiative; hence the development of a universal patient identifier needs to occur (JCAHO, n.d.). Development of this unique identifier could be one of the most contentious and controversial aspects of HIPAA.

Personal Health Record

Individuals are compiling their own medical records, based on information from their health care providers and information found at websites (e.g., diseases, drugs, prevention strategies). These secondary records contain private information, and it is not clear whether patients understand the significance or risks of access for what they are collecting on their home computers. The American Health Information Management Association (AHIMA) (http://www.ahima.org/) has done sentinel work in helping patients develop a personal health record. The AHIMA website MyPHR Personal Health Record (http://www.myphr.com/) gives patients and providers information about HIPAA, confidentiality, patients’ rights with regards to their health information, and important links for additional information to support the electronic health records.

Research Initiatives

In the past, patients were rarely contacted for authorizations for use of their medical information for research. Based on HIPAA, patient authorization is required for research, unless a waiver has been granted by an IRB or Privacy Board, and the standards require de-identification of data for research purposes. The Privacy Rule adds to the existing legal and ethical obligations for protecting the privacy of patients and clinical research participants. Specific guidelines for seeking patient authorization, identifying, and contacting research participants have been described by Amatayakul (2003); Burrington-Brown and Wagg (2003); and the National Institutes of Health (2004).

Conclusion

There was a time, just a few short years ago, that patients did not even know that extensive information was compiled about them and released to others. Their medical record was not on their personal radar screen. Today it is. HIPAA has introduced the public to practices for the release of information to others, and the public continues to be concerned about threats to protecting their private information. This concern was one of the incentives for passing HIPAA legislation in the first place. Patients are learning about privacy. They will want to know more over the years and will need our assistance. Both patient concerns about privacy and employee frustration about the implementation of the HIPAA rules and regulations will continue over the next several years.

Implementation of HIPAA is a process, not a defined outcome that is finished on a certain date in time. As with all complex legislation, there must be an ongoing process of education, implementation, and monitoring which requires an assessment of the interrelatedness of the system factors and identification of problems that must be fixed. It will take a few more years before we can substantiate that this legislation is part of our health care culture. The Privacy Rule affects both handwritten and electronic documentation, and its implementation is just the first stage in a process that will be unfolding for many years. The emerging electronic health medical record must, in fact, accommodate the rules and regulations related to HIPAA.

HIPAA is not the panacea for solving all the problems related to privacy. We need to hold the image of creating a culture in which privacy is authentically protected, not just because of HIPAA legislation, but because we routinely do this in our daily work environment. Hopefully, on balance, the added layers of bureaucracy and the costs incurred will be outweighed by the benefit of protecting patient privacy.

Nurses and health information management professionals have always had patient privacy and advocacy as part of their roles and responsibilities, and that will continue in importance. The protection of private information is difficult, but it is not impossible. There are many honest, ethical people who work every day of their lives to protect information out of a sense of respect and professionalism. We need to know the rules but we also need to use our common sense and trust our instincts as health care professionals.

Summary

HIPAA federal legislation was definitely needed for the protection of patient privacy, for protections against fraud and abuse, and to protect the ability of citizens to keep health insurance when changing jobs. HIPAA has had a tremendous impact on the clinical environment, including increased cost in the short term for educational programs and administrative structures, increasing complexities of educating employees and patients, the development of issues related to homeland security and disaster planning, and the assignment of a unique patient identifier. It will take a few more years before all of the HIPAA regulations are a routine part of the clinical environment; however, the efforts will be well worth it for our patients.

Authors

Laurinda B. Harman, PhD, RHIA, received a BS in biology with a concentration in medical record administration from Daemen College in Buffalo, New York, an MS in education at Virginia Polytechnic and State University in Blacksburg, Virginia, and a PhD in human and organizational systems at The Fielding Institute in Santa Barbara, California. She has been a Health Information Management (HIM) professional and educator for over thirty-five years and has directed HIM baccalaureate programs at George Washington University in Washington, DC and The Ohio State University in Columbus. She has participated as director of education and human resource development at George Washington University and as a faculty member at Northern Virginia Community College. Additionally, she has participated on grants for interdisciplinary collaborative graduate education and community service learning. Dr. Harman has conducted research on the health information, social, ethical, and legal implications of the use of genetic information and genetic engineering when making reproductive decisions, and has made national presentations on this topic. She has served on national committees for the American Health Information Management Association (AHIMA) and has edited Ethical Challenges in the Management of Health Information, the first and only book of its kind and for which she received the AHIMA 2001 Triumph Legacy Award. A second edition of this book, titled Ethical Challenges: Process and Strategies for Decision-Making, will include over 60 case scenarios with decision matrices and will be available in 2006.

U.S. Department of Health and Human Services and Department of Justice Health Care Fraud and Abuse Control Program. (2003). Annual report for 2002. Retrieved April 20, 2005 from www.usdoj.gov/dag/pubdoc/hcfacreport2002.htm